CISA warns of ‘Firestarter’ malware
- U.S. CISA on April 23 published a malware report on FIRESTARTER and updated Emergency Directive 25-03 for Cisco Firepower and Secure Firewall devices.
- CISA and the U.K. National Cyber Security Centre said FIRESTARTER survives patching by persisting in FXOS, the base operating system beneath ASA and FTD.
- The warning extends a 2025 Cisco firewall campaign tied to exploited zero-days and post-patch access. (cisa.gov)
Firewalls sit at the network edge, checking traffic before it reaches internal systems. On April 23, CISA said attackers planted FIRESTARTER on Cisco Firepower and Secure Firewall devices and kept access even after patching. (cisa.gov 1) (cisa.gov 2)

CISA described FIRESTARTER as a backdoor, which is a hidden way back into a device after the initial break-in. The agency said the malware targets publicly accessible Cisco devices running Adaptive Security Appliance, or ASA, and Firepower Threat Defense, or FTD, software. (cisa.gov)

The key detail is where the malware hides. Cisco said the persistence mechanism lives in Firepower eXtensible Operating System, or FXOS, the base operating system under ASA and FTD on affected hardware. (sec.cloudapps.cisco.com 1) (sec.cloudapps.cisco.com 2) That means a software upgrade can close the original holes without ejecting an attacker who is already inside. CISA said its forensic work found that firmware patching on compromised devices did not necessarily remove the threat actor. (cisa.gov)

The April 23 warning also changed what federal civilian agencies must do under Emergency Directive 25-03. CISA said agencies now have to identify specified Firepower and Secure Firewall devices, collect forensic data, and apply new Cisco updates. (cisa.gov 1) (cisa.gov 2)

For federal agencies, CISA's malware report says the first step is to collect and submit core dumps, then wait for further guidance. For everyone else, the agency said to run YARA detection rules on a disk image or core dump, report hits to CISA or the U.K. National Cyber Security Centre, and start incident response if compromise is confirmed. (cisa.gov)

The story did not start this month. Cisco said it was already investigating attacks on ASA and FTD platforms in early 2024, a campaign it named ArcaneDoor, after attackers implanted malware, ran commands, and potentially exfiltrated data. (sec.cloudapps.cisco.com)

Cisco later said a related 2025 wave hit ASA 5500-X devices with VPN web services enabled, and attackers exploited CVE-2025-20333 and CVE-2025-20362 before customers installed September 2025 fixes. The company said the newly disclosed persistence method broadened risk beyond the earlier device set to any hardware running ASA or FTD on affected platforms. (sec.cloudapps.cisco.com) (sec.cloudapps.cisco.com)

CISA said it has observed one successful FIRESTARTER implant in the wild on a Cisco Firepower device running ASA software, even though the guidance applies to both Firepower and Secure Firewall products. That makes this less a routine patch cycle than a hunt for devices that may already be carrying a hidden foothold. (cisa.gov)